
Yes, these are the good logs. That's the problem, lol. The only difference is the time. The module where this data is drawn from was created by a partner of my company, and they sent me a log file as an example. I have only these lines with the user name to define the LOG IN and LOG OUT.

3 Answers

OK, let's assume that login sessions are short. This means that if the distance between the last 2 events is less than 8 hours, then the last event is a logout and the one before is a login. If the distance between the last 2 is more than 8 hours, then the last event is a login and the one before is a logout.

So, there is literally no difference between login and logout records. That is a design or code error at the source, your company's partner. The logon records should say something like "ServiceHdlr.serviceStarted"

1) Get rid of the startswith and endswith. Since the same wording is on both of them, you're only confusing Splunk.

2) Determine what a reasonable duration would be for a session, and set that as your maxspan value. Leave maxpause as default (forever). Set keeporphans=true.

Hi everybody,

Thanks for your answers. The partner of my company sent me a new log file with more details... I do apologise for the inconvenience. I'm really sorry!!!

On the new log file, I have an event to define the beginning:

LOG IN --> Mar 1 21:45:41 XDSauth: 1488433541 |ConnectorSession.setNextServiceName |next service name = X
Mar 1 21:45:41 XDSauth: 1488433541 |ServiceHdlr.serviceTerminated |next service = X

LOG OUT --> Mar 1 21:47:05 XDSauth: 1488433625 |ServiceHdlr.serviceTerminated |next service = X

Where X is the user name.

But the problem is: ServiceHdlr.serviceTerminated

I have this event twice. One after ConnectorSession.setNextServiceName and the next is to define the end of connection.

If I use startswith="ConnectorSession.setNextServiceName" endswith="ServiceHdlr.serviceTerminated"

The result is:

2017-03-02 14:45:39.000 ConnectorSession.setNextServiceName
2017-03-02 14:45:41.000 ServiceHdlr.serviceTerminated

But the end of the connection is : 2017-03-02 14:46:13.000

With this new log file, it is easier to define the beginning, but I still have a problem defining the end.

Maybe create a condition to select the second event "ServiceHdlr.serviceTerminated" ?
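
The idea raised in the post above, taking the second ServiceHdlr.serviceTerminated after a ConnectorSession.setNextServiceName as the logout, is shown here outside Splunk as an added example; it is not code from the thread or from Splunk. The user names alice and bob, the bob line and the function name pair_sessions are constructed, and lines are assumed to arrive in time order.

```python
import re
from collections import namedtuple

# Constructed sample in the format quoted in the post; alice/bob stand in for X.
SAMPLE = """\
Mar 1 21:45:41 XDSauth: 1488433541 |ConnectorSession.setNextServiceName |next service name = alice
Mar 1 21:45:41 XDSauth: 1488433541 |ServiceHdlr.serviceTerminated |next service = alice
Mar 1 21:46:00 XDSauth: 1488433560 |ServiceHdlr.serviceTerminated |next service = bob
Mar 1 21:47:05 XDSauth: 1488433625 |ServiceHdlr.serviceTerminated |next service = alice
"""

LINE = re.compile(
    r"XDSauth:\s+(?P<epoch>\d+)\s*\|(?P<event>[\w.]+)\s*"
    r"\|next service(?: name)? = (?P<user>\S+)"
)
START = "ConnectorSession.setNextServiceName"
END = "ServiceHdlr.serviceTerminated"
Session = namedtuple("Session", "user start end duration")

def pair_sessions(text):
    """Return (sessions, orphans).

    Assumption taken from the post: the first END after a START belongs to
    the login itself, and the second END for that user is the real logout.
    """
    state = {}  # user -> [start_epoch, END events seen since START]
    sessions, orphans = [], []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an XDSauth session event
        user, epoch, event = m["user"], int(m["epoch"]), m["event"]
        if event == START:
            if user in state:  # earlier login was never closed
                orphans.append((user, state[user][0], "login without logout"))
            state[user] = [epoch, 0]
        elif event == END:
            if user not in state:
                orphans.append((user, epoch, "logout without login"))
                continue
            state[user][1] += 1
            if state[user][1] == 2:  # second terminate closes the session
                start = state.pop(user)[0]
                sessions.append(Session(user, start, epoch, epoch - start))
    # Logins still open at end of input are reported, not silently dropped.
    orphans.extend((u, s[0], "login without logout") for u, s in state.items())
    return sessions, orphans

if __name__ == "__main__":
    print(pair_sessions(SAMPLE))
```

Orphans are returned rather than discarded, in the same spirit as the keeporphans=true suggestion in the answer above, so unmatched logins and logouts stay visible for review.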
